Problem with using DKIM

DutchLearner · Jul 30, 2016

I'm having a problem with sending e-mails directly from the mailserver to Microsoft mail accounts (Live, Outlook, Hotmail, etc). These e-mails are being send from [email protected] (this is an example, but the 'mail'-subdomain is included in the full address). When the mail arrives, it says that the SPF record has been passed, but DKIM doesn't show up. See here:

Code:

CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is redacted)
[email protected]; dkim=none
header.d=xampledomain.net; x-hmca=none
[email protected]

I followed this tutorial to set up the DKIM:

https://help.directadmin.com/item.php?id=569

I verified that it has been enabled:

Code:

[root@VPS /]# cat /usr/local/directadmin/conf/directadmin.conf | grep dkim
dkim=1

I then went to the admin panel, User Level, and coppied the whole record to the DNS-configuration at my provider. Note that I'm using a VPS myself. When I dig it through the command line, I see that it resolves:

Code:

[root@VPS /]# dig txt x._domainkey.mail.example.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> txt x._domainkey.mail.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15635
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;x._domainkey.mail.example.com. IN  TXT

;; ANSWER SECTION:
x._domainkey.mail.example.com. 617 IN TXT   "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAru6kqwqnkt1krh/eKle/cP1+wK/lbA4aD1enQUm24BOHjiEQI3/7WB5O1UAZi4f4DZ0sQP3PVJreEZBqtL5dl+d eoU/Qj9oL+qCAe7IHdNgFW3/Fzg3ke8aOvWsPC8o0M5VvYAfibgcFpLCvu5BUqYwqvME3oU7WNK7OSjtPinf1wbFKEGUIh9ZzUcib0JO3" "gRzIxf6qXXu8htmFiNnInPDKHsn4oIioI5gWHiyKXs/EB GupIxrFJOlFmX213iYv/O9W3zpIz/+lOredactedforpurposesrTZgzDIyAb2HXZeSAmT0Rcp/mFMF5dPZw1KA6m/dkmqvwIDAQAB"

What am I missing here, why does Microsoft keep telling me that DKIM is not enabled?

SeLLeRoNe · Aug 1, 2016

Are you using latest exim.conf and exim.pl versions?

If you're using custombuild 2.x i would suggest to set:

Code:

eximconf=yes
eximconf_release=4.4
blockcracking=yes
easy_spam_fighter=yes
spamassassin=yes

Than run

Code:

/usr/local/directadmin/custombuild/build exim
/usr/local/directadmin/custombuild/build exim_conf

Also you can use this website to check the status of your server:
https://www.mail-tester.com/

Regards

nmb · Aug 1, 2016

Please check if you have file below :

/etc/exim.dkim.conf

I just installed a new server and found that I had to manually download that file into my server.

Also, check installation guide here -> https://help.directadmin.com/item.php?id=569

SeLLeRoNe · Aug 1, 2016

I guess he has that file because he followed the same guide

Regards

DutchLearner · Aug 3, 2016

SeLLeRoNe said:
Are you using latest exim.conf and exim.pl versions?

If you're using custombuild 2.x i would suggest to set:

Code:

eximconf=yes eximconf_release=4.4 blockcracking=yes easy_spam_fighter=yes spamassassin=yes

Than run

Code:

/usr/local/directadmin/custombuild/build exim /usr/local/directadmin/custombuild/build exim_conf

Also you can use this website to check the status of your server:
https://www.mail-tester.com/

Regards

Thanks a lot for your detailed answer! This is exactly what I was looking for. I currently have these settings in my Custombuild 2 settings:

#Mail Settings
exim=no
eximconf=no
eximconf_release=4.4
blockcracking=no
easy_spam_fighter=no
spamassassin=yes
sa_update=daily
dovecot=yes
dovecot_conf=yes
pigeonhole=no

Can I change the settings without any issues? What would the side-effects be of your proposed change?

SeLLeRoNe · Aug 3, 2016

Well it shouldn't have problem, the main difference you may have is that you may need to set authentication for your outgoing mail on you (and your customers) clients.

Regards

DutchLearner · Aug 3, 2016

SeLLeRoNe said:
Well it shouldn't have problem, the main difference you may have is that you may need to set authentication for your outgoing mail on you (and your customers) clients.

Regards

Thank you for your reply. I'm currently running using my hostname as the mailserver address, and linked a Let's Encrypt SSL certificate to it. I'll find out how it works and have a snapshot of the system just in case things break. I'll report back with my findings once I now more.

SeLLeRoNe · Aug 3, 2016

That's not a problem

Regards

DutchLearner · Aug 4, 2016

SeLLeRoNe said:
That's not a problem

Regards

I'm afraid this didn't solve the issue. Mail tester says the following:

-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See immediately below.
0.001 SPF_HELO_PASS SPF: HELO matches SPF record
-0.01 T_DKIM_INVALID Your DKIM signature is not valid
Have a look at our DKIM test below to know why
-0.01 T_SPF_TEMPERROR SPF: test of record failed (temperror)

Also see the image below. It says that I need to wait, but these DNS-records were made over 72 hours ago. They are already active and can be resolved when "digging" them manually.

http://imgur.com/a/o8Knj

DutchLearner · Aug 22, 2016

SeLLeRoNe said:
That's not a problem

Regards

I assume you didn't see my last reply since it was approved a few weeks after I wrote it. Could you take a look? Thanks in advance!

SeLLeRoNe · Aug 22, 2016

I didn't because i was in holiday, back to work since today

Are you sure you pasted the TXT record all on a single line?

You should provide the domain for better investigation, hide the IP from the screenshot and/or the domain will just make things more complicated...

Regards

DutchLearner · Aug 22, 2016

SeLLeRoNe said:
I didn't because i was in holiday, back to work since today

Are you sure you pasted the TXT record all on a single line?

You should provide the domain for better investigation, hide the IP from the screenshot and/or the domain will just make things more complicated...

Regards

Would it be alright if I supplied you with the domain and IP-address by private message?

SeLLeRoNe · Aug 22, 2016

Sure, but still i don't see the problem, are public IP and domains

DutchLearner · Aug 22, 2016

The domain in question is torasko.com, but I have the same issue on other domains that are running on the same server. I hope this helps.

SeLLeRoNe · Aug 22, 2016

The SPF record seems to be fine to me, but i cannto find the DKIM key in your DNS.

Regards

DutchLearner · Aug 22, 2016

That's weird. It resolves for me. See the following:

[mister@colonel /]# dig txt +short x._domainkey.torasko.com
"v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7H56aZTAflokt6/GnoDDZ2pFp4qYy35GQV2dAszVcT5cTf1RuT5dy1NhIXi+ZwOvfIsOPn4MynbP7qC5duN62JT hEfo3U/JJ0zC9mqXEL35A29FmqfyPQarE5C/GzrjvX9ONl9LS5atEmlD9C35j/0aOq9HKkcnmOzDv6fB3rGXVrJToytTUgfSbbVIcfDD8" "8E+MtRCipbjWuyJIm1anixopW0Sm+6pLr2JSypOWnYcqY 1Pf+tFQNSa4DM79+NULhxoytSsULmfmWD40tr9PDMkK+OtQw8p6MYrKLMa0uxgT+RW/8eAh/bZvCmV5k1PIo4NdRPlgmp44n5SskiSmlQIDAQAB"

SeLLeRoNe · Aug 22, 2016

Yep, you're right, typo on my side

Apparently your DKIM record is fine:
http://mxtoolbox.com/SuperTool.aspx?action=dkim:torasko.com&run=toolpage

Can you please send a test mail to me so i can read the headers?

Regards

DutchLearner · Aug 22, 2016

I've send you an e-mail, also including the Mail-Tester results. Thank you for your time so far! It's greatly appreciated.

SeLLeRoNe · Aug 22, 2016

As far as i can see from your e-mail everything seems to be ok, can you test again with mail-tester.com?

Regards

DutchLearner · Aug 22, 2016

I’m afraid it’s the same. See: https://www.mail-tester.com/web-3WCEKY. I think this could be a false message, since everything should be active. The SPF-record should also be fine, only allowing the IP-address from my mailserver.

Problem with using DKIM

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User

Super Moderator

Verified User